Sectigo Sponsors Oak, Let’s Encrypt’s Certificate Transparency log

Let’s Encrypt’s new CT log will be a major benefit to the entire CA ecosystem.

Earlier today Sectigo, the world’s largest Certificate Authority,
announced that it would be sponsoring Let’s Encrypt’s new Certificate
Transparency log, Oak, in its first year.

The sponsorship covers a large portion of the funding required
to run such a log and ensures that CAs will have more options for logging
certificates in the future.

There’s a little bit to unpack here, and some might be wondering why the world’s largest commercial CA would foot most of the bill for a free CA to do anything. So, today we’ll talk about that, about Certificate Transparency and about what this bodes for the greater SSL/TLS ecosystem.

Let’s hash it out.

Certificate Transparency and You

Certificate Transparency is a good thing. It’s the now-mandatory requirement that every trusted CA list every SSL/TLS certificate it issues in a trusted Certificate Transparency log. Or rather, in two logs, as Google has made standard with its Chrome browser.

Right now, there are a handful of organizations, mostly CAs,
that run logs:

Google

DigiCert

Sectigo

Cloudflare

The one thing that hamstrings CT logs is the sheer volume of certificates being issued. For instance, DigiCert runs several CT logs that it cycles through to ensure that it can keep up with the millions of digital certificates being issued every day. And the internet is at the mercy of these CT logs and how well they scale. They are, as Let’s Encrypt’s Josh Aas puts it, “critical infrastructure.”

So, spinning up new CT logs is a net positive for the SSL/TLS
ecosystem and a boon to Let’s Encrypt.

We decided to create and operate a CT log for a few reasons. First, operating a log is consistent with our mission to create a more secure and privacy-respecting Web. We believe transparency increases security and empowers people to make well-informed decisions. Second, operating a log helps us take control of our destiny. Google Chrome requires all new certificates to be submitted to two separate logs, so multiple log options are imperative to our operation. Finally, Let’s Encrypt often issues more than 1M certificates each day, so we wanted to design a CT log that is optimized for high volume. We’ve designed our log to be able to handle submissions from all other publicly trusted Certificate Authorities so they can use Oak to fulfill their logging requirements as well.

Why did Sectigo support this?

There’s a fairly obvious question that may be percolating
for you right now: why would a commercial CA like Sectigo offer to support a
public CA that offers the same products for free?

The answer is two-fold. First of all, it’s a fairly progressive, big-picture move that recognizes Let’s Encrypt’s integral role in the industry. Let’s Encrypt serves a very important segment of the market that was going otherwise unserved. We’re on record as disagreeing with some of its methods, but we absolutely believe in its mission.

Second, as we mentioned earlier, regardless of who’s administering it, having additional CT logging options is good for the entire ecosystem. When CAs have issues logging certificates, it adds delays, and nobody wins when that happens. Having additional CT logs, as well as the new Woodpecker tool Let’s Encrypt is releasing to monitor them, improves security by giving organizations the tools to better fight mis-issuance and other issuance-related issues.

“As a member of the CA/Browser Forum, Sectigo is committed to advancing internet security through collaboration with other Certificate Authorities,” said Nick France, CTO of SSL, Sectigo. “Sectigo’s sponsorship of Let’s Encrypt’s efforts to bolster the CT ecosystem is another step in addressing the growing need for certificate transparency tools. It’s an important example of how CAs can work together to ensure the overall internet ecosystem is secure for users and businesses worldwide.”

If it feels like we’ve been talking about Sectigo a lot lately, we have. Since rebranding from Comodo CA to Sectigo last fall, the company has made a major push into IoT security and overhauled its Certificate Management platform to facilitate zero-touch deployment through integration with Active Directory. Sectigo is already the world’s largest CA and it’s putting in the work to further its lead.


Author

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. He also designs the visuals for Hashed Out and serves as the Content Manager for The SSL Store™.